Authentication Methods
Client Secret Basic
When using client_secret_basic
on token or introspection endpoints, provide anAuthorization
header with a Basic auth value in the following form:
Authorization: "Basic " + base64( formUrlEncode(client_id) + ":" + formUrlEncode(client_secret) )
Given the client_id 78366401571920522@amce
and client_secret veryweaksecret!
, this would result in the following Authorization
header:
Basic NzgzNjY0MDE1NzE5MjA1MjIlNDBhbWNlOnZlcnl3ZWFrc2VjcmV0JTIx
JWT with Private Key
When using private_key_jwt
(urn:ietf:params:oauth:client-assertion-type:jwt-bearer
) for token or introspection endpoints, provide a JWT as assertion generated with the following structure and signed with a downloaded key:
Key JSON
Key | Example | Description |
---|---|---|
type | "application" | The type of account, right now only application is valid |
keyId | "81693565968962154" | This is unique ID of the key |
key | "-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----" | The private key generated by ZITADEL, this can not be regenerated! |
clientId | 78366401571920522@acme | The client_id of the application, this is the same as the subject from tokens |
appId | 78366403256846242 | The id of the application (just for completeness, not used for JWT) |
{
"type": "application",
"keyId": "81693565968962154",
"key": "-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----",
"clientId": "78366401571920522@acme",
"appId": "78366403256846242"
}
JWT
Claim | Example | Description |
---|---|---|
aud | "https://{your_domain}" | String or Array of intended audiences MUST include ZITADEL's issuing domain |
exp | 1605183582 | Unix timestamp of the expiry |
iat | 1605179982 | Unix timestamp of the creation singing time of the JWT, MUST NOT be older than 1h |
iss | "78366401571920522@acme" | String which represents the requesting party (owner of the key), normally the clientID from the json key file |
sub | "78366401571920522@acme" | The subject ID of the application, normally the clientID from the json key file |
{
"iss": "78366401571920522@acme",
"sub": "78366401571920522@acme",
"aud": "https://{your_domain}",
"exp": 1605183582,
"iat": 1605179982
}
To identify your key, it is necessary that you provide a JWT with a
kid
header claim representing your keyId from the Key JSON:{
"alg": "RS256",
"kid": "81693565968962154"
}